Firewall Wizards mailing list archives
Re: Third Party Audit of a Firewall
From: C Matthew Curtin <cmcurtin () interhack net>
Date: Sun, 1 Feb 1998 22:52:53 -0500 (EST)
"Chad" == Chad Schieken <cschieke () advsys com> writes:
Matt> I'm not sure I'd show this documentation to the auditors.

Chad> I disagree with that stance. It seems to only test the skill of
Chad> auditor, not the strength of the firewall.

The real point of not showing the documentation to the auditors would be to test the quality of the documentation. The documentation is what someone will point to in order to find out what the state of the system is, what risks are, etc. If the documentation is out of sync with the way things are, it's useless, or maybe worse. The auditors, of course, will determine the real state of things.

My approach is hardly a magic cure-all for auditing, but it seems to provide two useful services in one job: determination of the documentation's quality (and/or how well the written policy has been implemented), as well as weaknesses that might have been overlooked in the original design and/or implementation.

--
Matt Curtin cmcurtin () interhack net http://www.interhack.net/people/cmcurtin/